EdgeRouter-X VPN Endpoint

AstLinux supports many different x86 (32-bit and 64-bit) hardware devices, so when a remote VPN endpoint is desired in your AstLinux constellation it makes sense to first consider yet another AstLinux box. Quite often AstLinux is the best solution … familiarity, full-system firmware upgrades, and if that is true for you, you can stop reading here.

As an alternative for a remote VPN endpoint, the Ubiquiti Networks EdgeRouter-X occupies a special sweet spot of quality hardware and low price (currently, January 2019). While similarly priced to a complete Raspberry Pi system, the EdgeRouter-X has quality hardware designed for networking, including a built-in 5-port Gbit ethernet switch. Additionally, the EdgeRouter-X is less than half the cost of the least expensive multi-NIC x86 system required to run AstLinux.

Since the EdgeRouter-X is not x86 hardware, AstLinux will not run on it. The default EdgeRouter-X firmware is EdgeOS; its documentation is found here: EdgeOS User Guide. The WireGuard VPN is currently available for EdgeOS as a third-party wireguard-e50-<revision>.deb package found here: vyatta-wireguard.

Alternatively, the OpenWrt Project offers firmware specifically built for the EdgeRouter-X with impressive performance. The current standard 18.06.1 release performs NAT routing at near 1 Gbps line speed, and WireGuard VPN performance at around 180 Mbps. Quite reasonable for a 32-bit, 880 MHz CPU.

It could be said that the EdgeRouter-X with OpenWrt and the WireGuard VPN in the kernel is an ideal solution for a remote VPN endpoint. The rest of this documentation describes how to install the current release of OpenWrt 18.06.1 on a Ubiquiti Networks EdgeRouter-X (ER-X).

Flash ER-X with OpenWrt using AstLinux

It is assumed an AstLinux box is available for serving the OpenWrt firmware images.

Tip → AstLinux is not required here; you could use macOS, Linux, or even Windows to do the same, but using AstLinux makes sense as you probably have one lying around and are familiar with it.

Also required is a “USB-to-TTL Serial Cable” commonly used with development boards like the Raspberry Pi, BeagleBone Black, Arduino, etc. Search Amazon for “usb serial ttl”. An FTDI chipset is preferred, but a Prolific PL2303 should also work. You also want the individual pins to be separate, not molded together.

It is assumed the 1st LAN network of AstLinux is 192.168.101.1/24, adjust accordingly below if yours is different.

After a few seconds, no reboot needed, the LAN will now be a 10.1.1.0/24 network. If you were connected via a LAN device, you must change to https://10.1.1.1 to return to the OpenWrt web interface.

Generate a WireGuard Keypair

The OpenWrt web interface does not automatically generate a WireGuard keypair, which is good practice, since the ER-X has little entropy available. It is better to use the AstLinux endpoint, or perhaps a Linux desktop, to generate the WireGuard keypair.

Paste the following three lines (all at once) into the shell command line anywhere WireGuard is installed…

Tip → Both Endpoint and PersistentKeepalive could be removed from the peer definition above if the AstLinux endpoint has a static public WAN IP address, in which case the OpenWrt endpoint would initiate and establish the VPN.

Add a WireGuard VPN interface

Network → Interfaces → { Add new interface… }

Enter wg0 for the interface name and select the “WireGuard VPN” protocol, then click “Submit”.

Configure WireGuard VPN interface

Network → Interfaces → “WG0” → “General Setup”

Specify the “Private Key” (generated above) and set the “Listen Port” to 51820.

Specify the “Public Key” from the AstLinux remote WireGuard VPN Public Key.

The “Allowed IPs” are the networks allowed in the tunnel; the simplest case is just the remote AstLinux WireGuard IP address. If you add additional remote networks, you will also want to check “Route Allowed IPs” to automatically generate routes via the tunnel for those networks.

After the peer is defined, “Save & Apply” changes and then restart WireGuard:

Network → Interfaces

WireGuard Firewall Setup on OpenWrt

In order to allow UDP/51820 traffic into OpenWrt, open a firewall port…
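As an added example (not from the AstLinux wiki or from OpenWrt), the following Python script renders the wg0 interface, peer and firewall steps above as `uci batch` lines, applying the Tip's rule about Endpoint/PersistentKeepalive and the “Route Allowed IPs” check. The keys, the 10.10.10.0/24 tunnel addresses and the astlinux.example.com endpoint are constructed placeholders; the option names are those of OpenWrt's wireguard protocol handler and firewall config.

```python
import base64
import ipaddress

WG_PORT = 51820  # the Listen Port used above

# Constructed placeholder keys (any 32 bytes, base64); real ones come from wg genkey/pubkey
DEMO_PRIVATE = base64.b64encode(bytes(range(32))).decode()
DEMO_PEER_PUBLIC = base64.b64encode(bytes(range(32, 64))).decode()

def check_key(key):
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    raw = base64.b64decode(key, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard keys are 32 bytes, got %d" % len(raw))
    return key

def uci_wg0(private_key, wg_address, peer_public_key, allowed_ips,
            endpoint=None, keepalive=None):
    """Return `uci batch` lines. endpoint=(host, port) when the AstLinux side has
    a static WAN IP and OpenWrt initiates; both None when AstLinux dials in."""
    nets = [ipaddress.ip_network(n) for n in allowed_ips]  # rejects host bits set
    # wg0's own address covers the peer's /32; anything beyond that needs routes.
    route = len(nets) > 1 or any(n.prefixlen != n.max_prefixlen for n in nets)
    p = "network.@wireguard_wg0[-1]"  # the peer section added just below
    cmds = [
        "set network.wg0=interface",
        "set network.wg0.proto='wireguard'",
        "set network.wg0.private_key='%s'" % check_key(private_key),
        "set network.wg0.listen_port='%d'" % WG_PORT,
        "add_list network.wg0.addresses='%s'" % ipaddress.ip_interface(wg_address),
        "add network wireguard_wg0",
        "set %s.public_key='%s'" % (p, check_key(peer_public_key)),
        "set %s.route_allowed_ips='%d'" % (p, route),
    ] + ["add_list %s.allowed_ips='%s'" % (p, n) for n in nets]
    if endpoint:
        cmds += ["set %s.endpoint_host='%s'" % (p, endpoint[0]),
                 "set %s.endpoint_port='%d'" % (p, endpoint[1])]
        if keepalive:
            cmds.append("set %s.persistent_keepalive='%d'" % (p, keepalive))
    elif keepalive:
        raise ValueError("persistent_keepalive needs an endpoint to send to")
    # WireGuard Firewall Setup: accept UDP/51820 from wan, destined to the router itself
    cmds += ["add firewall rule", "set firewall.@rule[-1].name='Allow-WireGuard'",
             "set firewall.@rule[-1].src='wan'", "set firewall.@rule[-1].proto='udp'",
             "set firewall.@rule[-1].dest_port='%d'" % WG_PORT,
             "set firewall.@rule[-1].target='ACCEPT'", "commit"]
    return cmds
```

Feed the returned lines to `uci batch` on the ER-X, then restart the wg0 interface as in the step above.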